New Vehicle Hack Exposes Users’ Private Data Via Bluetooth

People who have synced their mobile phones with a wide variety of vehicle infotainment systems may have have their personal information exposed to a new type of vehicle hack, security researchers say.

A researcher from Privacy4Cars, which offers a mobile app that can erase Personally Identifiable Information (PII) from modern vehicles, have discovered that vehicles from several car makers can expose user data via the Bluetooth protocol.

Dubbed CarsBlues, the new vehicle hack targets the infotainment systems in modern vehicles and allows an attacker to access user information within minutes, using only inexpensive and readily available hardware and software. No significant technical knowledge is required either, the company claims.

Tens of millions of vehicles already in circulation worldwide are believed to be impacted, and the number continues to rise into the millions as more vehicles are evaluated. Exposed information includes contacts, call logs, text logs, and even text messages in the full, in some cases.

Discovered by Privacy4Cars founder Andrea Amico, the hack mainly impacts users who synced their phones to vehicles that are no longer under their direct oversight. These include rented vehicles, as well as cars “shared through a fleet or subscription service, loaned, sold, returned at the end of a lease, repossessed, or deemed a total loss.”

“Additionally, people who have synced their phones and given others temporary access to their personal vehicle, such as at dealerships’ service centers, repair shops, peer-to-peer exchanges, and valets may also be at risk for CarsBlues,” Privacy4Cars says.

Amico has notified the Automotive Information Sharing and Analysis Center (Auto-ISAC) organization and also worked with it to help its impacted members understand how an attacker might access their personal information. The hack can be performed without the owner/user being aware and without the mobile device being connected to the system.

“Now that we have completed our ethical disclosure with the Auto-ISAC, we are turning our focus to educating the industry and the public about the risks associated with leaving personal information in vehicle systems,” Amico said.

Some of the impacted carmakers have already updated their new 2019 models, to ensure that they are no longer impacted by CarsBlues.

With many vehicle models from a broad range of car makers impacted, users are advised to delete any personal data they might have synced to their vehicle’s infotainment system before allowing anyone else access their vehicle. Privacy4Cars also notes that industry policies to protect consumer data should be created, either by helping customers delete the data or by having industry players erase it.

“The CarsBlues hack, given its ease to replicate, the breadth of situations in which it can be performed against unsuspecting targets, and the difficulty in detecting the exploitation, is a clear indication that industry and consumers alike need to be proactive when it comes to deleting personally identifiable information from vehicle infotainment systems,” Amico said.